2:13 a.m.
All,
While doing testing on TLS, I came across the mention of
"tls_allowed_ip_list" in the website documentation, here:
http://libvirt.org/remote.html#Remote_libvirtd_configuration
However, I don't see any implementation of the tls_allowed_ip_list in libvirt
itself; a grep through the sources show that we are implementing
"tls_allowed_dn_list", but not "tls_allowed_ip_list". Am I missing
something in
the sources? Should we update the libvirt.org documentation and remove that
(seemingly non-existent) parameter? Or should I go in and implement the
"tls_allowed_ip_list"?
--
Chris Lalancette
2:34 a.m.
On Tue, Mar 03, 2009 at 09:13:14AM +0100, Chris Lalancette wrote:
All,
While doing testing on TLS, I came across the mention of
"tls_allowed_ip_list" in the website documentation, here:
http://libvirt.org/remote.html#Remote_libvirtd_configuration
However, I don't see any implementation of the tls_allowed_ip_list in libvirt
itself; a grep through the sources show that we are implementing
"tls_allowed_dn_list", but not "tls_allowed_ip_list". Am I missing
something in
the sources? Should we update the libvirt.org documentation and remove that
(seemingly non-existent) parameter? Or should I go in and implement the
"tls_allowed_ip_list"?
Hum, I don't remember the history, I guess the simplest is to make a
small change to the doc along the line "(not implemented yet)" and
work on a patch. Unless we really think dn certificate checks are really
superior and ip check is not needed (I have no opinion !)
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel(a)veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
2:34 a.m.
Daniel Veillard wrote:
On Tue, Mar 03, 2009 at 09:13:14AM +0100, Chris Lalancette wrote:
> All,
> While doing testing on TLS, I came across the mention of
> "tls_allowed_ip_list" in the website documentation, here:
>
> http://libvirt.org/remote.html#Remote_libvirtd_configuration
>
> However, I don't see any implementation of the tls_allowed_ip_list in libvirt
> itself; a grep through the sources show that we are implementing
> "tls_allowed_dn_list", but not "tls_allowed_ip_list". Am I
missing something in
> the sources? Should we update the libvirt.org documentation and remove that
> (seemingly non-existent) parameter? Or should I go in and implement the
> "tls_allowed_ip_list"?
Hum, I don't remember the history, I guess the simplest is to make a
small change to the doc along the line "(not implemented yet)" and
work on a patch. Unless we really think dn certificate checks are really
superior and ip check is not needed (I have no opinion !)
Right, that was my thought too; perhaps DN checks are enough. I guess we should
let DanB weigh in, since it's basically a documentation issue at the moment.
--
Chris Lalancette
2:40 a.m.
On Tue, Mar 03, 2009 at 09:34:37AM +0100, Chris Lalancette wrote:
Daniel Veillard wrote:
> On Tue, Mar 03, 2009 at 09:13:14AM +0100, Chris Lalancette wrote:
>> All,
>> While doing testing on TLS, I came across the mention of
>> "tls_allowed_ip_list" in the website documentation, here:
>>
>> http://libvirt.org/remote.html#Remote_libvirtd_configuration
>>
>> However, I don't see any implementation of the tls_allowed_ip_list in
libvirt
>> itself; a grep through the sources show that we are implementing
>> "tls_allowed_dn_list", but not "tls_allowed_ip_list". Am I
missing something in
>> the sources? Should we update the libvirt.org documentation and remove that
>> (seemingly non-existent) parameter? Or should I go in and implement the
>> "tls_allowed_ip_list"?
>
> Hum, I don't remember the history, I guess the simplest is to make a
> small change to the doc along the line "(not implemented yet)" and
> work on a patch. Unless we really think dn certificate checks are really
> superior and ip check is not needed (I have no opinion !)
Right, that was my thought too; perhaps DN checks are enough. I guess we should
let DanB weigh in, since it's basically a documentation issue at the moment.
I'm suggesting the following if we still want to implement it later:
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel(a)veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
2:50 a.m.
On Tue, Mar 03, 2009 at 09:13:14AM +0100, Chris Lalancette wrote:
All,
While doing testing on TLS, I came across the mention of
"tls_allowed_ip_list" in the website documentation, here:
http://libvirt.org/remote.html#Remote_libvirtd_configuration
However, I don't see any implementation of the tls_allowed_ip_list in libvirt
itself; a grep through the sources show that we are implementing
"tls_allowed_dn_list", but not "tls_allowed_ip_list". Am I missing
something in
the sources? Should we update the libvirt.org documentation and remove that
(seemingly non-existent) parameter? Or should I go in and implement the
"tls_allowed_ip_list"?
That functionality was removed because it is utterly worthless as an
access control feature, and if you want to block rogue IP (ranges) you
can do it in iptables far more efficiently & flexibly anyway. The
docs just need to be removed
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
3:03 a.m.
On Tue, Mar 03, 2009 at 08:50:54AM +0000, Daniel P. Berrange wrote:
On Tue, Mar 03, 2009 at 09:13:14AM +0100, Chris Lalancette wrote:
> All,
> While doing testing on TLS, I came across the mention of
> "tls_allowed_ip_list" in the website documentation, here:
>
> http://libvirt.org/remote.html#Remote_libvirtd_configuration
>
> However, I don't see any implementation of the tls_allowed_ip_list in libvirt
> itself; a grep through the sources show that we are implementing
> "tls_allowed_dn_list", but not "tls_allowed_ip_list". Am I
missing something in
> the sources? Should we update the libvirt.org documentation and remove that
> (seemingly non-existent) parameter? Or should I go in and implement the
> "tls_allowed_ip_list"?
That functionality was removed because it is utterly worthless as an
access control feature, and if you want to block rogue IP (ranges) you
can do it in iptables far more efficiently & flexibly anyway. The
docs just need to be removed
okay, even simpler, I will do it before the release !
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel(a)veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
5812
days inactive
5812
days old
5 comments
3 participants
participants (3)
-
Chris Lalancette -
Daniel P. Berrange -
Daniel Veillard